You can use a script to generate a self-signed server
certificate for S3 clients that perform strict hostname validation and do not
support disabling strict hostname validation, such as ONTAP clients using FabricPool.
In production environments, you should use a certificate that is
signed by a known Certificate Authority (CA). Certificates signed
by a CA can be rotated non-disruptively. They are also more secure
because they provide better protection against man-in-the-middle
attacks.

Before you begin

To perform this task, you need specific access permissions. For details, see information about controlling system access with administration user accounts and groups.

You must have the Passwords.txt file.

Steps

Obtain the fully qualified domain name (FQDN) of each API Gateway Node.

For --domains, use wildcards to represent the
fully qualified domain names of all API Gateway Nodes. For example, *.sgws.foo.com uses the * wildcard to represent gn1.sgws.foo.com and gn2.sgws.foo.com.

Set --type to storage to configure the certificate used
by S3 and Swift storage clients.

By default, generated certificates are valid for one year
(365 days) and must be recreated before they expire. You can use the
--days argument to override the default validity period.

Note: A certificate's validity period begins when
make-certificate is run. You must ensure the S3 client is synchronized to
the same time source as StorageGRID Webscale; otherwise, the client might reject the certificate.
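The wildcard and time-synchronization points above can be checked before the certificate is generated. The following is an added example, not part of the original procedure or of StorageGRID Webscale; the function names and the node gn3.site2.sgws.foo.com are constructed for illustration, and the matching rule assumed is the common strict one in which * stands for exactly one left-most label.

```python
from datetime import datetime, timedelta, timezone

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Strict match: '*' stands for exactly one whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def uncovered(domains: list[str], fqdns: list[str]) -> list[str]:
    """Gateway Node FQDNs that no --domains entry would cover."""
    return [f for f in fqdns if not any(wildcard_matches(d, f) for d in domains)]

def validity_status(issued_at: datetime, days: int, client_now: datetime) -> str:
    """How a client whose clock reads client_now sees the certificate."""
    if client_now < issued_at:
        return "not-yet-valid"   # client clock is behind the issuing system
    if client_now >= issued_at + timedelta(days=days):
        return "expired"
    return "valid"

# Constructed sample values (assumptions, not taken from a real grid)
DOMAINS = ["*.sgws.foo.com"]
NODES = ["gn1.sgws.foo.com", "gn2.sgws.foo.com", "gn3.site2.sgws.foo.com"]
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("not covered by --domains:", uncovered(DOMAINS, NODES))
    for label, skew in [("synchronized", timedelta(seconds=2)),
                        ("5 min behind", timedelta(minutes=-5))]:
        print(label, "->", validity_status(ISSUED, 365, ISSUED + skew))
```

A node under an additional subdomain level needs its own --domains entry, and a client clock that lags the issuing system sees the new certificate as not yet valid.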